train-core 2.0.5 → 2.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84c1a550a64252e1bc30666a40359220d3afdc76403ee8bd580c4fb49cd54c49
-  data.tar.gz: 545681f44366939e9fa22e92b5bd8397fae14b0e5407ab92cdfc456679d5dd66
+  metadata.gz: 6296676d2fb3138e2e4e3f660e6bc9d871f10419318ba3344ca472c1eca7f0d2
+  data.tar.gz: 8c5d1f00ee0c1e4dffa9520c8c622cd5333716a90576d52dfc5856f2ce7bf6de
 SHA512:
-  metadata.gz: 25c0429f61b1b911e4d32952e53815f689ea9e76eee8fc1d1a1bb8f04f1be82b6f442d9ee11cb1ac91cd162c98606ad9961290fc177625af32dd6ab72a90e258
-  data.tar.gz: 0d1e3a0368830194f669f6623b253679d847a0018137c8a37610d1648d94d91e28497d8e34bd4f50a20515662f8dee890b70908121e81acf96b98b1788e2ccbd
+  metadata.gz: 97150adffc1f18041eb3c1f7c77c439920674a2f1d40ef90b7720eeb808bc98709d4cd646af0fae949a47229703dc19988ac2ca54b21e1de5aeb2b71a873a4d1
+  data.tar.gz: '028b9286800362e7e945c6fa5d3efde308e5b917233e7e9367b00ba289e87902ac4a8ccfcb55bf6879d7548340a40156e0cf2a05035c139d86d216dd27bda036'

data/lib/train/transports/ssh.rb

@@ -0,0 +1,269 @@
+# encoding: utf-8
+#
+# Author:: Fletcher Nichol (<fnichol@nichol.ca>)
+# Author:: Dominik Richter (<dominik.richter@gmail.com>)
+# Author:: Christoph Hartmann (<chris@lollyrock.com>)
+#
+# Copyright (C) 2014, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'net/ssh'
+require 'net/scp'
+require 'train/errors'
+
+module Train::Transports
+  # Wrapped exception for any internally raised SSH-related errors.
+  #
+  # @author Fletcher Nichol <fnichol@nichol.ca>
+  class SSHFailed < Train::TransportError; end
+  class SSHPTYFailed < Train::TransportError; end
+
+  # A Transport which uses the SSH protocol to execute commands and transfer
+  # files.
+  #
+  # @author Fletcher Nichol <fnichol@nichol.ca>
+  class SSH < Train.plugin(1) # rubocop:disable Metrics/ClassLength
+    name 'ssh'
+
+    require 'train/transports/ssh_connection'
+    require 'train/transports/cisco_ios_connection'
+
+    # add options for submodules
+    include_options Train::Extras::CommandWrapper
+
+    # common target configuration
+    option :host,      required: true
+    option :port,      default: 22, required: true
+    option :user,      default: 'root', required: true
+    option :key_files, default: nil
+    option :password,  default: nil
+
+    # additional ssh options
+    option :keepalive, default: true
+    option :keepalive_interval, default: 60
+    option :connection_timeout, default: 15
+    option :connection_retries, default: 5
+    option :connection_retry_sleep, default: 1
+    option :max_wait_until_ready, default: 600
+    option :compression, default: false
+    option :pty, default: false
+    option :proxy_command, default: nil
+    option :bastion_host, default: nil
+    option :bastion_user, default: 'root'
+    option :bastion_port, default: 22
+    option :non_interactive, default: false
+    option :verify_host_key, default: false
+
+    option :compression_level do |opts|
+      # on nil or false: set compression level to 0
+      opts[:compression] ? 6 : 0
+    end
+
+    # (see Base#connection)
+    def connection(state = {}, &block)
+      opts = merge_options(options, state || {})
+      validate_options(opts)
+      conn_opts = connection_options(opts)
+
+      if defined?(@connection) && @connection_options == conn_opts
+        reuse_connection(&block)
+      else
+        create_new_connection(conn_opts, &block)
+      end
+    end
+
+    private
+
+    def validate_options(options)
+      super(options)
+
+      key_files = Array(options[:key_files])
+      options[:auth_methods] ||= ['none']
+
+      unless key_files.empty?
+        options[:auth_methods].push('publickey')
+        options[:keys_only] = true if options[:password].nil?
+        options[:key_files] = key_files
+      end
+
+      unless options[:password].nil?
+        options[:auth_methods].push('password', 'keyboard-interactive')
+      end
+
+      if options[:auth_methods] == ['none']
+        if ssh_known_identities.empty?
+          fail Train::ClientError,
+               'Your SSH Agent has no keys added, and you have not specified a password or a key file'
+        else
+          logger.debug('[SSH] Using Agent keys as no password or key file have been specified')
+          options[:auth_methods].push('publickey')
+        end
+      end
+
+      if options[:pty]
+        logger.warn('[SSH] PTY requested: stderr will be merged into stdout')
+      end
+
+      if [options[:proxy_command], options[:bastion_host]].all? { |type| !type.nil? }
+        fail Train::ClientError, 'Only one of proxy_command or bastion_host needs to be specified'
+      end
+
+      super
+      self
+    end
+
+    # Creates an SSH Authentication KeyManager instance and saves it for
+    # potential future reuse.
+    #
+    # @return [Hash] hash of SSH Known Identities
+    # @api private
+    def ssh_known_identities
+      # Force KeyManager to load the key(s)
+      @manager ||= Net::SSH::Authentication::KeyManager.new(nil).each_identity {}
+      @manager.known_identities
+    end
+
+    # Builds the hash of options needed by the Connection object on
+    # construction.
+    #
+    # @param opts [Hash] merged configuration and mutable state data
+    # @return [Hash] hash of connection options
+    # @api private
+    def connection_options(opts)
+      connection_options = {
+        logger:                 logger,
+        user_known_hosts_file:  '/dev/null',
+        hostname:               opts[:host],
+        port:                   opts[:port],
+        username:               opts[:user],
+        compression:            opts[:compression],
+        compression_level:      opts[:compression_level],
+        keepalive:              opts[:keepalive],
+        keepalive_interval:     opts[:keepalive_interval],
+        timeout:                opts[:connection_timeout],
+        connection_retries:     opts[:connection_retries],
+        connection_retry_sleep: opts[:connection_retry_sleep],
+        max_wait_until_ready:   opts[:max_wait_until_ready],
+        auth_methods:           opts[:auth_methods],
+        keys_only:              opts[:keys_only],
+        keys:                   opts[:key_files],
+        password:               opts[:password],
+        forward_agent:          opts[:forward_agent],
+        proxy_command:          opts[:proxy_command],
+        bastion_host:           opts[:bastion_host],
+        bastion_user:           opts[:bastion_user],
+        bastion_port:           opts[:bastion_port],
+        non_interactive:        opts[:non_interactive],
+        transport_options:      opts,
+      }
+      # disable host key verification. The hash key and value to use
+      # depends on the version of net-ssh in use.
+      connection_options[verify_host_key_option] = verify_host_key_value(opts[:verify_host_key])
+
+      connection_options
+    end
+
+    #
+    # Returns the correct host-key-verification option key to use depending
+    # on what version of net-ssh is in use. In net-ssh <= 4.1, the supported
+    # parameter is `paranoid` but in 4.2, it became `verify_host_key`
+    #
+    # `verify_host_key` does not work in <= 4.1, and `paranoid` throws
+    # deprecation warnings in >= 4.2.
+    #
+    # While the "right thing" to do would be to pin train's dependency on
+    # net-ssh to ~> 4.2, this will prevent InSpec from being used in
+    # Chef v12 because of it pinning to a v3 of net-ssh.
+    #
+    def verify_host_key_option
+      current_net_ssh = Net::SSH::Version::CURRENT
+      new_option_version = Net::SSH::Version[4, 2, 0]
+
+      current_net_ssh >= new_option_version ? :verify_host_key : :paranoid
+    end
+
+    # Likewise, version <5 accepted false; 5+ requires :never or will
+    # issue a deprecation warning. This method allows a lot of common
+    # things through.
+    def verify_host_key_value(given)
+      current_net_ssh = Net::SSH::Version::CURRENT
+      new_value_version = Net::SSH::Version[5, 0, 0]
+      if current_net_ssh >= new_value_version
+        # 5.0+ style
+        {
+          # It's not a boolean anymore.
+          'true' => :always,
+          'false' => :never,
+          true => :always,
+          false => :never,
+          # May be correct value, but strings from JSON config
+          'always' => :always,
+          'never' => :never,
+          nil => :never,
+        }.fetch(given, given)
+      else
+        # up to 4.2 style
+        {
+          'true' => true,
+          'false' => false,
+          nil => false,
+        }.fetch(given, given)
+      end
+    end
+
+    # Creates a new SSH Connection instance and save it for potential future
+    # reuse.
+    #
+    # @param options [Hash] conneciton options
+    # @return [Ssh::Connection] an SSH Connection instance
+    # @api private
+    def create_new_connection(options, &block)
+      if defined?(@connection)
+        logger.debug("[SSH] shutting previous connection #{@connection}")
+        @connection.close
+      end
+
+      @connection_options = options
+      conn = Connection.new(options, &block)
+
+      # Cisco IOS requires a special implementation of `Net:SSH`. This uses the
+      # SSH transport to identify the platform, but then replaces SSHConnection
+      # with a CiscoIOSConnection in order to behave as expected for the user.
+      if defined?(conn.platform.cisco_ios?) && conn.platform.cisco_ios?
+        ios_options = {}
+        ios_options[:host] = @options[:host]
+        ios_options[:user] = @options[:user]
+        # The enable password is used to elevate privileges on Cisco devices
+        # We will also support the sudo password field for the same purpose
+        # for the interim. # TODO
+        ios_options[:enable_password] = @options[:enable_password] || @options[:sudo_password]
+        ios_options[:logger] = @options[:logger]
+        ios_options.merge!(@connection_options)
+        conn = CiscoIOSConnection.new(ios_options)
+      end
+
+      @connection = conn unless conn.nil?
+    end
+
+    # Return the last saved SSH connection instance.
+    #
+    # @return [Ssh::Connection] an SSH Connection instance
+    # @api private
+    def reuse_connection
+      logger.debug("[SSH] reusing existing connection #{@connection}")
+      yield @connection if block_given?
+      @connection
+    end
+  end
+end

data/lib/train/transports/ssh_connection.rb

@@ -0,0 +1,311 @@
+# encoding: utf-8
+#
+# Author:: Fletcher Nichol (<fnichol@nichol.ca>)
+# Author:: Dominik Richter (<dominik.richter@gmail.com>)
+# Author:: Christoph Hartmann (<chris@lollyrock.com>)
+#
+# Copyright (C) 2014, Fletcher Nichol
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'net/ssh'
+require 'net/scp'
+require 'timeout'
+
+class Train::Transports::SSH
+  # A Connection instance can be generated and re-generated, given new
+  # connection details such as connection port, hostname, credentials, etc.
+  # This object is responsible for carrying out the actions on the remote
+  # host such as executing commands, transferring files, etc.
+  #
+  # @author Fletcher Nichol <fnichol@nichol.ca>
+  class Connection < BaseConnection # rubocop:disable Metrics/ClassLength
+    attr_reader :hostname
+    def initialize(options)
+      # Track IOS command retries to prevent infinite loop on IOError. This must
+      # be done before `super()` because the parent runs detection commands.
+      @ios_cmd_retries = 0
+      super(options)
+      @username               = @options.delete(:username)
+      @hostname               = @options.delete(:hostname)
+      @port                   = @options[:port] # don't delete from options
+      @connection_retries     = @options.delete(:connection_retries)
+      @connection_retry_sleep = @options.delete(:connection_retry_sleep)
+      @max_wait_until_ready   = @options.delete(:max_wait_until_ready)
+      @max_ssh_sessions       = @options.delete(:max_ssh_connections) { 9 }
+      @session                = nil
+      @transport_options      = @options.delete(:transport_options)
+      @cmd_wrapper            = nil
+      @proxy_command          = @options.delete(:proxy_command)
+      @bastion_host           = @options.delete(:bastion_host)
+      @bastion_user           = @options.delete(:bastion_user)
+      @bastion_port           = @options.delete(:bastion_port)
+      @cmd_wrapper            = CommandWrapper.load(self, @transport_options)
+    end
+
+    # (see Base::Connection#close)
+    def close
+      return if @session.nil?
+      logger.debug("[SSH] closing connection to #{self}")
+      session.close
+    ensure
+      @session = nil
+    end
+
+    def ssh_opts
+      level = logger.debug? ? 'VERBOSE' : 'ERROR'
+      fwd_agent = options[:forward_agent] ? 'yes' : 'no'
+
+      args  = %w{ -o UserKnownHostsFile=/dev/null }
+      args += %w{ -o StrictHostKeyChecking=no }
+      args += %w{ -o IdentitiesOnly=yes } if options[:keys]
+      args += %w{ -o BatchMode=yes } if options[:non_interactive]
+      args += %W( -o LogLevel=#{level} )
+      args += %W( -o ForwardAgent=#{fwd_agent} ) if options.key?(:forward_agent)
+      Array(options[:keys]).each do |ssh_key|
+        args += %W( -i #{ssh_key} )
+      end
+      args
+    end
+
+    def check_proxy
+      [@proxy_command, @bastion_host].any? { |type| !type.nil? }
+    end
+
+    def generate_proxy_command
+      return @proxy_command unless @proxy_command.nil?
+      args = %w{ ssh }
+      args += ssh_opts
+      args += %W( #{@bastion_user}@#{@bastion_host} )
+      args += %W( -p #{@bastion_port} )
+      args += %w{ -W %h:%p }
+      args.join(' ')
+    end
+
+    # (see Base::Connection#login_command)
+    def login_command
+      args = ssh_opts
+      args += %W( -o ProxyCommand='#{generate_proxy_command}' ) if check_proxy
+      args += %W( -p #{@port} )
+      args += %W( #{@username}@#{@hostname} )
+      LoginCommand.new('ssh', args)
+    end
+
+    # (see Base::Connection#upload)
+    def upload(locals, remote)
+      waits = []
+      Array(locals).each do |local|
+        opts = File.directory?(local) ? { recursive: true } : {}
+
+        waits.push session.scp.upload(local, remote, opts) do |_ch, name, sent, total|
+          logger.debug("Uploaded #{name} (#{total} bytes)") if sent == total
+        end
+        waits.shift.wait while waits.length >= @max_ssh_sessions
+      end
+      waits.each(&:wait)
+    rescue Net::SSH::Exception => ex
+      raise Train::Transports::SSHFailed, "SCP upload failed (#{ex.message})"
+    end
+
+    def download(remotes, local)
+      waits = []
+      Array(remotes).map do |remote|
+        opts = file(remote).directory? ? { recursive: true } : {}
+        waits.push session.scp.download(remote, local, opts) do |_ch, name, recv, total|
+          logger.debug("Downloaded #{name} (#{total} bytes)") if recv == total
+        end
+        waits.shift.wait while waits.length >= @max_ssh_sessions
+      end
+      waits.each(&:wait)
+    rescue Net::SSH::Exception => ex
+      raise Train::Transports::SSHFailed, "SCP download failed (#{ex.message})"
+    end
+
+    # (see Base::Connection#wait_until_ready)
+    def wait_until_ready
+      delay = 3
+      session(
+        retries: @max_wait_until_ready / delay,
+        delay:   delay,
+        message: "Waiting for SSH service on #{@hostname}:#{@port}, " \
+                 "retrying in #{delay} seconds",
+      )
+      run_command(PING_COMMAND.dup)
+    end
+
+    def uri
+      "ssh://#{@username}@#{@hostname}:#{@port}"
+    end
+
+    private
+
+    PING_COMMAND = "echo '[SSH] Established'".freeze
+
+    RESCUE_EXCEPTIONS_ON_ESTABLISH = [
+      Errno::EACCES, Errno::EADDRINUSE, Errno::ECONNREFUSED, Errno::ETIMEDOUT,
+      Errno::ECONNRESET, Errno::ENETUNREACH, Errno::EHOSTUNREACH, Errno::EPIPE,
+      Net::SSH::Disconnect, Net::SSH::AuthenticationFailed, Net::SSH::ConnectionTimeout,
+      Timeout::Error
+    ].freeze
+
+    # Establish an SSH session on the remote host.
+    #
+    # @param opts [Hash] retry options
+    # @option opts [Integer] :retries the number of times to retry before
+    #   failing
+    # @option opts [Float] :delay the number of seconds to wait until
+    #   attempting a retry
+    # @option opts [String] :message an optional message to be logged on
+    #   debug (overriding the default) when a rescuable exception is raised
+    # @return [Net::SSH::Connection::Session] the SSH connection session
+    # @api private
+    def establish_connection(opts)
+      logger.debug("[SSH] opening connection to #{self}")
+      if check_proxy
+        require 'net/ssh/proxy/command'
+        @options[:proxy] = Net::SSH::Proxy::Command.new(generate_proxy_command)
+      end
+      Net::SSH.start(@hostname, @username, @options.clone.delete_if { |_key, value| value.nil? })
+    rescue *RESCUE_EXCEPTIONS_ON_ESTABLISH => e
+      if (opts[:retries] -= 1) <= 0
+        logger.warn("[SSH] connection failed, terminating (#{e.inspect})")
+        raise Train::Transports::SSHFailed, 'SSH session could not be established'
+      end
+
+      if opts[:message]
+        logger.debug("[SSH] connection failed (#{e.inspect})")
+        message = opts[:message]
+      else
+        message = "[SSH] connection failed, retrying in #{opts[:delay]}"\
+                  " seconds (#{e.inspect})"
+      end
+      logger.info(message)
+
+      sleep(opts[:delay])
+      retry
+    end
+
+    def file_via_connection(path)
+      if os.aix?
+        Train::File::Remote::Aix.new(self, path)
+      elsif os.solaris?
+        Train::File::Remote::Unix.new(self, path)
+      elsif os[:name] == 'qnx'
+        Train::File::Remote::Qnx.new(self, path)
+      else
+        Train::File::Remote::Linux.new(self, path)
+      end
+    end
+
+    def run_command_via_connection(cmd, &data_handler)
+      cmd.dup.force_encoding('binary') if cmd.respond_to?(:force_encoding)
+      logger.debug("[SSH] #{self} (#{cmd})")
+
+      reset_session if session.closed?
+      exit_status, stdout, stderr = execute_on_channel(cmd, &data_handler)
+
+      # Since `@session.loop` succeeded, reset the IOS command retry counter
+      @ios_cmd_retries = 0
+
+      CommandResult.new(stdout, stderr, exit_status)
+    rescue Net::SSH::Exception => ex
+      raise Train::Transports::SSHFailed, "SSH command failed (#{ex.message})"
+    rescue IOError
+      # Cisco IOS occasionally closes the stream prematurely while we are
+      # running commands to detect if we need to switch to the Cisco IOS
+      # transport. This retries the command if this is the case.
+      # See:
+      #  https://github.com/inspec/train/pull/271
+      logger.debug('[SSH] Possible Cisco IOS race condition, retrying command')
+
+      # Only attempt retry up to 5 times to avoid infinite loop
+      @ios_cmd_retries += 1
+      raise if @ios_cmd_retries >= 5
+
+      retry
+    end
+
+    # Returns a connection session, or establishes one when invoked the
+    # first time.
+    #
+    # @param retry_options [Hash] retry options for the initial connection
+    # @return [Net::SSH::Connection::Session] the SSH connection session
+    # @api private
+    def session(retry_options = {})
+      @session ||= establish_connection({
+        retries: @connection_retries.to_i,
+        delay:   @connection_retry_sleep.to_i,
+      }.merge(retry_options))
+    end
+
+    def reset_session
+      @session = nil
+    end
+
+    # String representation of object, reporting its connection details and
+    # configuration.
+    #
+    # @api private
+    def to_s
+      options_to_print = @options.clone
+      options_to_print[:password] = '<hidden>' if options_to_print.key?(:password)
+      "#{@username}@#{@hostname}<#{options_to_print.inspect}>"
+    end
+
+    # Given a channel and a command string, it will execute the command on the channel
+    # and accumulate results in  @stdout/@stderr.
+    #
+    # @param channel [Net::SSH::Connection::Channel] an open ssh channel
+    # @param cmd [String] the command to execute
+    # @return [Integer] exit status or nil if exit-status/exit-signal requests
+    #         not received.
+    #
+    # @api private
+    def execute_on_channel(cmd, &data_handler)
+      stdout = stderr = ''
+      exit_status = nil
+      session.open_channel do |channel|
+        # wrap commands if that is configured
+        cmd = @cmd_wrapper.run(cmd) unless @cmd_wrapper.nil?
+
+        if @transport_options[:pty]
+          channel.request_pty do |_ch, success|
+            fail Train::Transports::SSHPTYFailed, 'Requesting PTY failed' unless success
+          end
+        end
+        channel.exec(cmd) do |_, success|
+          abort 'Couldn\'t execute command on SSH.' unless success
+          channel.on_data do |_, data|
+            yield(data) unless data_handler.nil?
+            stdout += data
+          end
+
+          channel.on_extended_data do |_, _type, data|
+            yield(data) unless data_handler.nil?
+            stderr += data
+          end
+
+          channel.on_request('exit-status') do |_, data|
+            exit_status = data.read_long
+          end
+
+          channel.on_request('exit-signal') do |_, data|
+            exit_status = data.read_long
+          end
+        end
+      end
+      session.loop
+      [exit_status, stdout, stderr]
+    end
+  end
+end

data/lib/train/transports/winrm.rb

@@ -0,0 +1,207 @@
+# encoding: utf-8
+#
+# Author:: Salim Afiune (<salim@afiunemaya.com.mx>)
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Author:: Fletcher Nichol (<fnichol@nichol.ca>)
+# Author:: Dominik Richter (<dominik.richter@gmail.com>)
+# Author:: Christoph Hartmann (<chris@lollyrock.com>)
+#
+# Copyright (C) 2014, Salim Afiune
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'rbconfig'
+require 'uri'
+require 'train/errors'
+
+module Train::Transports
+  # Wrapped exception for any internally raised WinRM-related errors.
+  #
+  # @author Fletcher Nichol <fnichol@nichol.ca>
+  class WinRMFailed < Train::TransportError; end
+
+  # A Transport which uses WinRM to execute commands and transfer files.
+  #
+  # @author Matt Wrock <matt@mattwrock.com>
+  # @author Salim Afiune <salim@afiunemaya.com.mx>
+  # @author Fletcher Nichol <fnichol@nichol.ca>
+  class WinRM < Train.plugin(1) # rubocop:disable ClassLength
+    name 'winrm'
+
+    require 'train/transports/winrm_connection'
+
+    # ref: https://github.com/winrb/winrm#transports
+    SUPPORTED_WINRM_TRANSPORTS = %i(negotiate ssl plaintext kerberos).freeze
+
+    # common target configuration
+    option :host, required: true
+    option :port
+    option :user, default: 'administrator', required: true
+    option :password, nil
+    option :winrm_transport, default: :negotiate
+    option :winrm_disable_sspi, default: false
+    option :winrm_basic_auth_only, default: false
+    option :path, default: '/wsman'
+    option :ssl, default: false
+    option :self_signed, default: false
+
+    # additional winrm options
+    option :rdp_port, default: 3389
+    option :connection_retries, default: 5
+    option :connection_retry_sleep, default: 1
+    option :max_wait_until_ready, default: 600
+    option :ssl_peer_fingerprint, default: nil
+    option :kerberos_realm, default: nil
+    option :kerberos_service, default: nil
+    option :ca_trust_file, default: nil
+    # The amount of time in SECONDS for which each operation must get an ack
+    # from the winrm endpoint. Does not mean that the command has
+    # completed in this time, only that the server has ack'd the request.
+    option :operation_timeout, default: nil
+
+    def initialize(opts)
+      super(opts)
+      load_needed_dependencies!
+    end
+
+    # (see Base#connection)
+    def connection(state = nil, &block)
+      opts = merge_options(options, state || {})
+      validate_options(opts)
+      conn_opts = connection_options(opts)
+
+      if @connection && @connection_options == conn_opts
+        reuse_connection(&block)
+      else
+        create_new_connection(conn_opts, &block)
+      end
+    end
+
+    private
+
+    def validate_options(opts)
+      super(opts)
+
+      # set scheme and port based on ssl activation
+      scheme = opts[:ssl] ? 'https' : 'http'
+      port = opts[:port]
+      port = (opts[:ssl] ? 5986 : 5985) if port.nil?
+      winrm_transport = opts[:winrm_transport].to_sym
+      unless SUPPORTED_WINRM_TRANSPORTS.include?(winrm_transport)
+        fail Train::ClientError, "Unsupported transport type: #{winrm_transport.inspect}"
+      end
+
+      # remove leading '/'
+      path = (opts[:path] || '').sub(%r{^/+}, '')
+
+      opts[:endpoint] = "#{scheme}://#{opts[:host]}:#{port}/#{path}"
+    end
+
+    WINRM_FS_SPEC_VERSION = '~> 1.0'.freeze
+
+    # Builds the hash of options needed by the Connection object on
+    # construction.
+    #
+    # @param data [Hash] merged configuration and mutable state data
+    # @return [Hash] hash of connection options
+    # @api private
+    def connection_options(opts)
+      {
+        logger:                   logger,
+        transport:                opts[:winrm_transport].to_sym,
+        disable_sspi:             opts[:winrm_disable_sspi],
+        basic_auth_only:          opts[:winrm_basic_auth_only],
+        hostname:                 opts[:host],
+        endpoint:                 opts[:endpoint],
+        user:                     opts[:user],
+        password:                 opts[:password],
+        rdp_port:                 opts[:rdp_port],
+        connection_retries:       opts[:connection_retries],
+        connection_retry_sleep:   opts[:connection_retry_sleep],
+        max_wait_until_ready:     opts[:max_wait_until_ready],
+        no_ssl_peer_verification: opts[:self_signed],
+        realm:                    opts[:kerberos_realm],
+        service:                  opts[:kerberos_service],
+        ca_trust_file:            opts[:ca_trust_file],
+        ssl_peer_fingerprint:     opts[:ssl_peer_fingerprint],
+      }
+    end
+
+    # Creates a new WinRM Connection instance and save it for potential
+    # future reuse.
+    #
+    # @param options [Hash] conneciton options
+    # @return [WinRM::Connection] a WinRM Connection instance
+    # @api private
+    def create_new_connection(options, &block)
+      if @connection
+        logger.debug("[WinRM] shutting previous connection #{@connection}")
+        @connection.close
+      end
+
+      @connection_options = options
+      @connection = Connection.new(options, &block)
+    end
+
+    # (see Base#load_needed_dependencies!)
+    def load_needed_dependencies!
+      spec_version = WINRM_FS_SPEC_VERSION.dup
+      logger.debug('winrm-fs requested,' \
+        " loading WinRM::FS gem (#{spec_version})")
+      gem 'winrm-fs', spec_version
+      first_load = require 'winrm-fs'
+      load_winrm_transport!
+
+      if first_load
+        logger.debug('WinRM::FS library loaded')
+      else
+        logger.debug('WinRM::FS previously loaded')
+      end
+    rescue LoadError => e
+      logger.fatal(
+        "The `winrm-fs' gem is missing and must" \
+        ' be installed or cannot be properly activated. Run' \
+        " `gem install winrm-fs --version '#{spec_version}'`" \
+        ' or add the following to your Gemfile if you are using Bundler:' \
+        " `gem 'winrm-fs', '#{spec_version}'`.",
+      )
+      raise Train::UserError,
+            "Could not load or activate WinRM::FS (#{e.message})"
+    end
+
+    # Load WinRM::Transport code.
+    #
+    # @api private
+    def load_winrm_transport!
+      silence_warnings { require 'winrm-fs' }
+    end
+
+    # Return the last saved WinRM connection instance.
+    #
+    # @return [Winrm::Connection] a WinRM Connection instance
+    # @api private
+    def reuse_connection
+      logger.debug("[WinRM] reusing existing connection #{@connection}")
+      yield @connection if block_given?
+      @connection
+    end
+
+    def silence_warnings
+      old_verbose = $VERBOSE
+      $VERBOSE = nil
+      yield
+    ensure
+      $VERBOSE = old_verbose
+    end
+  end
+end

data/lib/train/transports/winrm_connection.rb

@@ -0,0 +1,200 @@
+# encoding: utf-8
+#
+# Author:: Salim Afiune (<salim@afiunemaya.com.mx>)
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Author:: Fletcher Nichol (<fnichol@nichol.ca>)
+# Author:: Dominik Richter (<dominik.richter@gmail.com>)
+# Author:: Christoph Hartmann (<chris@lollyrock.com>)
+#
+# Copyright (C) 2014, Salim Afiune
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class Train::Transports::WinRM
+  # A Connection instance can be generated and re-generated, given new
+  # connection details such as connection port, hostname, credentials, etc.
+  # This object is responsible for carrying out the actions on the remote
+  # host such as executing commands, transferring files, etc.
+  #
+  # @author Fletcher Nichol <fnichol@nichol.ca>
+  class Connection < BaseConnection # rubocop:disable Metrics/ClassLength
+    attr_reader :hostname
+    def initialize(options)
+      super(options)
+      @hostname               = @options.delete(:hostname)
+      @rdp_port               = @options.delete(:rdp_port)
+      @connection_retries     = @options.delete(:connection_retries)
+      @connection_retry_sleep = @options.delete(:connection_retry_sleep)
+      @max_wait_until_ready   = @options.delete(:max_wait_until_ready)
+      @operation_timeout      = @options.delete(:operation_timeout)
+    end
+
+    # (see Base::Connection#close)
+    def close
+      return if @session.nil?
+      session.close
+    ensure
+      @session = nil
+    end
+
+    # (see Base::Connection#login_command)
+    def login_command
+      case RbConfig::CONFIG['host_os']
+      when /darwin/
+        login_command_for_mac
+      when /mswin|msys|mingw|cygwin|bccwin|wince|emc/
+        login_command_for_windows
+      when /linux/
+        login_command_for_linux
+      else
+        fail ActionFailed,
+             "Remote login not supported in #{self.class} " \
+             "from host OS '#{RbConfig::CONFIG['host_os']}'."
+      end
+    end
+
+    # (see Base::Connection#upload)
+    def upload(locals, remote)
+      file_manager.upload(locals, remote)
+    end
+
+    def download(remotes, local)
+      Array(remotes).each do |remote|
+        file_manager.download(remote, local)
+      end
+    end
+
+    # (see Base::Connection#wait_until_ready)
+    def wait_until_ready
+      delay = 3
+      session(
+        retry_limit: @max_wait_until_ready / delay,
+        retry_delay: delay,
+      )
+      run_command_via_connection(PING_COMMAND.dup)
+    end
+
+    def uri
+      "winrm://#{options[:user]}@#{options[:endpoint]}:#{@rdp_port}"
+    end
+
+    private
+
+    PING_COMMAND = "Write-Host '[WinRM] Established\n'".freeze
+
+    def file_via_connection(path)
+      Train::File::Remote::Windows.new(self, path)
+    end
+
+    def run_command_via_connection(command, &data_handler)
+      return if command.nil?
+      logger.debug("[WinRM] #{self} (#{command})")
+      out = ''
+
+      response = session.run(command) do |stdout, _|
+        yield(stdout) if data_handler && stdout
+        out << stdout if stdout
+      end
+
+      CommandResult.new(out, response.stderr, response.exitcode)
+    end
+
+    # Create a local RDP document and return it
+    #
+    # @param opts [Hash] configuration options
+    # @option opts [true,false] :mac whether or not the document is for a
+    #   Mac system
+    # @api private
+    def rdp_doc(opts = {})
+      host = URI.parse(options[:endpoint]).host
+      content = [
+        "full address:s:#{host}:#{@rdp_port}",
+        'prompt for credentials:i:1',
+        "username:s:#{options[:user]}",
+      ].join("\n")
+
+      content.prepend("drivestoredirect:s:*\n") if opts[:mac]
+
+      content
+    end
+
+    # @return [Winrm::FileManager] a file transporter
+    # @api private
+    def file_manager
+      @file_manager ||= begin
+        # Ensure @service is available:
+        wait_until_ready
+        WinRM::FS::FileManager.new(@service)
+      end
+    end
+
+    # Builds a `LoginCommand` for use by Linux-based platforms.
+    #
+    # TODO: determine whether or not `desktop` exists
+    #
+    # @return [LoginCommand] a login command
+    # @api private
+    def login_command_for_linux
+      args  = %W( -u #{options[:user]} )
+      args += %W( -p #{options[:pass]} ) if options.key?(:pass)
+      args += %W( #{URI.parse(options[:endpoint]).host}:#{@rdp_port} )
+      LoginCommand.new('rdesktop', args)
+    end
+
+    # Builds a `LoginCommand` for use by Mac-based platforms.
+    #
+    # @return [LoginCommand] a login command
+    # @api private
+    def login_command_for_mac
+      LoginCommand.new('open', rdp_doc(mac: true))
+    end
+
+    # Builds a `LoginCommand` for use by Windows-based platforms.
+    #
+    # @return [LoginCommand] a login command
+    # @api private
+    def login_command_for_windows
+      LoginCommand.new('mstsc', rdp_doc)
+    end
+
+    # Establishes a remote shell session, or establishes one when invoked
+    # the first time.
+    #
+    # @param retry_options [Hash] retry options for the initial connection
+    # @return [Winrm::CommandExecutor] the command executor session
+    # @api private
+    def session(retry_options = {})
+      @session ||= begin
+        opts = {
+          retry_limit: @connection_retries.to_i,
+          retry_delay: @connection_retry_sleep.to_i,
+        }.merge(retry_options)
+
+        opts[:operation_timeout] = @operation_timeout unless @operation_timeout.nil?
+        @service = ::WinRM::Connection.new(options.merge(opts))
+        @service.logger = logger
+        @service.shell(:powershell)
+      end
+    end
+
+    # String representation of object, reporting its connection details and
+    # configuration.
+    #
+    # @api private
+    def to_s
+      options_to_print = @options.clone
+      options_to_print[:password] = '<hidden>' if options_to_print.key?(:password)
+      "#{@username}@#{@hostname}<#{options_to_print.inspect}>"
+    end
+  end
+end

data/lib/train/version.rb

@@ -3,5 +3,5 @@
 # Author:: Dominik Richter (<dominik.richter@gmail.com>)
 
 module Train
-  VERSION = '2.0.5'.freeze
+  VERSION = '2.0.8'.freeze
 end

metadata

@@ -1,15 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: train-core
 version: !ruby/object:Gem::Version
-  version: 2.0.5
+  version: 2.0.8
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-10 00:00:00.000000000 Z
+date: 2019-04-19 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: mixlib-shellout
   requirement: !ruby/object:Gem::Requirement
@@ -31,12 +51,32 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '4.0'
 - !ruby/object:Gem::Dependency
-  name: json
+  name: net-ssh
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.8'
+        version: '2.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: net-scp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
@@ -46,11 +86,67 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.8'
+        version: '1.2'
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
-description: A minimal Train with a selected set of backends, ssh, winrm, and docker.
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: bcrypt_pbkdf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: winrm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: winrm-fs
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: A minimal Train with a backends for ssh and winrm.
 email:
 - drichter@chef.io
 executables: []
@@ -93,6 +189,10 @@ files:
 - lib/train/plugins/transport.rb
 - lib/train/transports/local.rb
 - lib/train/transports/mock.rb
+- lib/train/transports/ssh.rb
+- lib/train/transports/ssh_connection.rb
+- lib/train/transports/winrm.rb
+- lib/train/transports/winrm_connection.rb
 - lib/train/version.rb
 homepage: https://github.com/inspec/train/
 licenses: